DoT support with client ID

@girish
also a big thank you from my side - the solution of software-version and adguard works like a charm

@LoudLemur I use the smallest VPS with SSD (Cloud VPS S). For my small family (e.g. for using Nextcloud and Vaultwarden) this is more than sufficient, at least for my needs.

i use contabo. in my opinion, it's one of the cheapest on the market. you can also add additional backup storage. If you place more value on memory than speed, you can also choose SSD instead of NVMe. Then 8 cores with 30 GB RAM and 800 GB SSD only cost 14.99 € - https://contabo.com/en/vps/

@timconsidine The installation via PlayStore of "Private24" works without problems. I was able to click through the functions after launching the app. The scan function also works. I don't see any problems for the login either.

@jdaviescoates I had also tested /e/ OS and CalyxOS. However, the MicroG implementation does not match the functionality of the "real" Google services. I know, we can have philosophical discussions here, each system has its specific advantages and disadvantages.

What should be mentioned ... the dual SIM support also works in Grapheneos (first SIM as a card, second SIM as an eSIM) and what I'm particularly happy about is that Google has apparently solved the fingerprint problems of the Pixel 6 (generally in AOSP and thus presumably also for CalyxOS).

My phone has a hard-shell-glass and the fingerprint reader works very well. Sometimes I also use the outdoor case from SP-Connect (with plastic window) and the fingerprint reader still works.

@infogulch done. everything works fine so far. connected to github and cloned any repository ... at least the app guided me through the process. What exactly you can do with it now is not clear to me at once for notes I use other apps. I hope I could help you with this...

@timconsidine the game changer actually seems to be the possibility to install the regular Play Services with Play Store in Grapheneos. i could not see any disadvantages to this yet, so far i could use all apps. About the functionality of the sandbox I could only repeat what Daniel Micay writes on his website. Daniel has also built a bypass function for the location requests by Google services. These are routed through the OS and served from there. Google gets very little of this and the apps get their "fake" location info.

I use the banking apps from DKB, ING, Lbb-Berlin (Amazon Prime VISA), N26 and PayPal. Everything works.

I used to be a hard iPhone and Mac user, but switched from iOS completely to AOSP with GrapheneOS and I'm waiting for a Linux notebook with a good processor that can replace Apple's M1.

Would you like me to test an app for you? Of course, only the start of the app and the general functions?

@humptydumpty I do not see any limitations in the apps (except, as mentioned, GPay does not work). In terms of data protection and privacy, and the user's own control over data sharing, GrapheneOS clearly beats iOS here. This already starts with the use of DOT via dns.adguard.com or the service from nextdns.io, which also offer great adblockers. In addition, TrackerControl can still be used via F-Droid and every service (app) runs in its own sandbox (including GooglePlay and Google services).

What else came to my mind when comparing devices. The Pixel 6 has a better camera compared to the 6a, which you can also use with the original app "Google Camera". I advise you to install the "GCam Photos Preview" from the CalyxOS repository, so that you can immediately access the gallery from the Camera app.

@humptydumpty Since the Pixel 6 is now available at a discount, you only pay about 50 Euros more than for the brand new 6a.
Grapheneos also needs some time to support new devices. Personally, I own the Pixel 6 with Grapheneos and am more than happy with it. Grapheneos comes with a small app store that allows you to install the PlayStore very easily. All banking apps even work for me, and apart from Google Pay, I have not yet come across an app that did not work. Netflix is strangely not displayed via the PlayStore, but can be obtained via Aurora-Store without any problems.

Furthermore, f-droid (droid-ify or Neo Store) gives you all the freedom and options to try out alternative apps. I switched from iPhone to Andoid and have not regretted it so far - I love my freedom

@girish Hi, I just had the same problem as "orangetech" and the same wish to use the client id as access restriction. What I don't understand:
I use my domain via netcup API and it was created for me by cloudron (probably) a wildcard certificate.
Why can't this wildcard certificate be used for the AdGuard app? When I check the certificate in the AdGuard web interface, it shows me that the certificate used is only valid for the main domain.
It would be nice if the client ID filtering option becomes possible.

@girish perfect! That's cool

@7dowWilkes the problem for me is actually the webserver, which has to make the policy available. probably this is the actual feature-request, if cloudron doesn't offer this possibility yet

you can find the RFC - Proposed Standard at https://datatracker.ietf.org/doc/rfc8461/

you only need 3 records in your dns:

1. _mta-sts.example.com. IN TXT "v=STSv1; id=20160831085700Z;" --> the id is a time-stamp for the policy
2. _smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:postmaster@example.com" --> for error analysis and for an MTA-STS validator
3. mta-sts.example.com. IN A IP-of-your-webserver --> to propagate the policy under https://mta-sts.example.com/.well-known/mta-sts.txt

The policy could look like this:
version: STSv1
mode: enforce
max_age: 2419200
mx: my.example.org

instead of enforce you can also choose "testing" or "none"
see also https://support.google.com/a/answer/9276511?hl=en

cloudron would therefore "only" need a central webservice via which the policy under ".well-known/mta-sts.txt" could be published to the respective domains in cloudron

the dns entries could also be set automatically by cloudron or once manually by the domain-owner

Hello all,
is there a way in cloudron to propagate a mts-sts-policy?
For this a txt-file would have to be accessible under a certain domain, e.g. https://mta-sts.domain.org/.well-known/mta-sts.txt

If there is not something like this in cloudron yet, would this be implementable in principle?

Many thanks and greetings

@girish thank you very much, I will do that

Re: Free Plan

Hello all,

I tried the Pro account for a month and now wanted to switch back to the Free account. Except for two apps, I have uninstalled everything again. Unfortunately, I can not make any updates, because I am prompted to renew the subscription for the paid account.

Does anyone know how to get back into the free account?

Greetings

thank you all. i've almost resigned myself to the fact that it doesn't work with simple gui settings. i also don't know enough to tinker with config files on my own. i asked my colleague again about his settings on synology. he redirects port 443 to the default port 1194 via his home router. So he uses the router-nat, is reachable from outside via 443 and simply routes to the VPN instance.

there is probably no comparable NAT function in cloudron, is there?

while searching the internet i found the "haproxy" in docker-hub. maybe such a container (app) could transparently redirect from a host with port 443 to an internal ip with port 7494. but this is probably going too far and i don't want to overuse your help.

@mehdi said in OpenVPN on Port 443:

actually, it's supposed to be very hard to distinguish between OpenVPN TCP and HTTPS traffic on a network level, because they both are in an SSL tunnel, so a firewall cannot see into it and know what kind of protocol is going on inside the tunnel.

a colleague of mine, who works in the same environment as me, uses OpenVPN via his Synology DiskStation on port 443 and it works there. this confirms what mehdi said. i will keep looking for ways...

ok i understand. thank you both for your help!

hello all,
is it possible to use OpenVPN via TCP on port 443? Unfortunately cloudron does not allow this in the app option menu. Background is that the firewall in my usage area only allows connections via port 443 and blocks the default VPN port 7494.